Ashley Madison Users Face Threats of Blackmail and Identity Theft

First, members of the adultery website Ashley Madison had their personal information unveiled to the world by hackers. Now, a bigger threat looms.

Scammers and extortionists have been combing for targets through the data on 30 million to 40 million Ashley Madison users, stolen by a group calling itself The Impact Team and dumped online earlier this month.

Police officials in Toronto said they had already seen several instances of such spinoff crimes, including extortion attempts.

Darius Fisher, the president of the reputation management firm Status Labs, said he had multiple clients who have received emails threatening to expose their use of the site if they do not send bitcoins to their blackmailers.

But Ashley Madison users are also being confronted with more subtle scams.

They are “vulnerable to any offer to help them handle the situation in any way really,” said Stephen Cobb, a digital security expert at the software company ESET.

Scammers could use data from the breach to trick victims into giving up more information, or even to hack into their computers to wreak further havoc. Such attacks are likely to continue for weeks and months, experts say.

“It’s important to understand that the attackers are clever,” said Itay Glick, the chief executive of the cybersecurity company Votiro. “They don’t need to use the information today; they can use it two weeks from today or one month from today.”

The path to installing malicious software onto an unsuspecting target’s computer can be simple. Using email addresses and information gleaned from the initial data dump, fraudsters can craft convincing so-called phishing emails that trick their recipients into revealing sensitive personal information.

Malware can also be delivered through websites offering to scrub Ashley Madison users’ records from the web, a promise that Mr. Cobb said was impossible to deliver on.

Once a computer is infected, criminals can gain access to bank accounts, steal passwords and “do anything you can do on the machine, basically,” said Israel Levy, the chief executive of Bufferzone, a cybersecurity company.

It is not just Ashley Madison users who are vulnerable. People interested in the identity of the website’s members are also falling prey to attacks.

Targeted messages and spurious websites that offer to reveal the identities of Ashley Madison users are being used as bait to lure suspicious spouses and human resources managers into clicking on malicious links.

The technology company Symantec said it had detected an “upsurge” in email activity of this sort, and had blocked multiple domain names including ashleymadisonaccounts.com and ashleymadisonlegalaction.com.

“The bad guys are trying to take advantage of the fact that people are very curious, and as they say, curiosity kills the cat,” Mr. Levy said.

Mr. Cobb said: “Steer clear of anything to do with Ashley Madison is probably the most useful advice. Unless you really understand data and information security, responding to anything related to Ashley Madison could be problematic.”